The leaked source code of the Carberp Trojan has spawned numerous malware variants, and a new one has emerged showing increased sophistication.
The new Bolek banking Trojan is polymorphic file-infecting malware that targets both 32-bit and 64-bit versions of Windows and can perform a broad range of actions on infected machines: web injections, traffic interception, screenshots, keylogging, and theft of login credentials from online banking applications.
What’s more, the malware can establish reverse RDP (Remote Desktop Protocol) connections (back connect). According to Doctor Web researchers, who say that the Trojan also inherits a series of characteristics from Trojan.PWS.Panda (Zeus), Bolek can launch a local SOCKS5 proxy server and an HTTP server for executing CMD commands.
PhishMe security researchers, who say that Bolek is based on repurposed KBot source code from Carberp, also explain that the Trojan uses multiple tricks to hinder detection and analysis. The malware resolves its imports in an unusual way and relies on a complex method to gain persistence on the infected machine.
During infection, the Trojan abuses svchost.exe or winlogon.exe processes to execute operations. It also maintains certain runtime values in memory, including the command and control (C&C) domains, as well as some of the bot configurations. The malware stores the configuration data in JSON and can send a great deal of data to the C&C server, including versioning, file hashes, and installed applications.
Each time it is executed on the infected PC, the malware creates a randomly named folder in the Windows System32 directory and places three files in it: a randomly named .exe (a system application copied from System32), a .dll (imported by the .exe at first run), and a third file with a different, also random, extension. The malware modifies the DLL by injecting malicious code into DllEntryPoint and other functions, and relies on the legitimacy of the executable and its imported DLL for persistence.
Researchers also discovered that the malware can be configured to become a worm, which allows it to self-propagate from one machine to another. It also includes the ability to receive updates, meaning that its operators can easily shift tactics mid-campaign if they want to.
Arbor Networks’ Dennis Schwarz explains that Bolek communicates with the C&C server via HTTP POST requests and uses encryption to secure that communication. The malware uses public key cryptography, but unlike other banking Trojans it does not rely on RSA. Instead, it uses elliptic curve cryptography, namely Curve25519, as the key exchange mechanism between host and server.
“Two Curve25519 key pairs are created by the malware and the public keys are sent to the C2 server—one (mypublic) in the post_data_format structure and the other (mypublic2) in the data_header structure,” the researcher says. Data is encrypted using AES-128 encryption and HMAC-SHA1 is used to ensure the integrity of the encrypted data, Schwarz also explains.
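The scheme described above (Curve25519 key exchange, AES-128 for confidentiality, HMAC-SHA1 for integrity), as an added example that is not code from the article or from Arbor Networks' analysis. The article does not give the key-derivation function, the AES mode, the envelope layout or the role of the second key pair, so this example assumes SHA-256 of the shared secret as KDF, AES-128-CTR, an "IV || ciphertext || tag" layout and one key pair per side; the Session function runs both sides of one check-in and shows the MAC rejecting a message altered in transit.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/ecdh"; "crypto/hmac"
	"crypto/rand"; "crypto/sha1"; "crypto/sha256"; "errors"
)
// Envelope layout assumed for this example (the article does not give it):
// IV || AES-128-CTR ciphertext || HMAC-SHA1 tag, encrypt-then-MAC.
func deriveKeys(shared []byte) (encKey, macKey []byte) {
	h := sha256.Sum256(shared) // assumed KDF: hash the raw X25519 shared secret
	return h[:16], h[16:]      // 16-byte AES-128 key, 16-byte HMAC key
}
func seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(encKey) // deriveKeys always yields a 16-byte key
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	body := make([]byte, aes.BlockSize+len(plaintext))
	copy(body, iv)
	cipher.NewCTR(block, iv).XORKeyStream(body[aes.BlockSize:], plaintext)
	mac := hmac.New(sha1.New, macKey)
	mac.Write(body)           // the tag covers IV and ciphertext
	return mac.Sum(body), nil // IV || ciphertext || 20-byte tag
}

func open(encKey, macKey, env []byte) ([]byte, error) {
	if len(env) < aes.BlockSize+sha1.Size { return nil, errors.New("envelope too short") }
	body, tag := env[:len(env)-sha1.Size], env[len(env)-sha1.Size:]
	mac := hmac.New(sha1.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { return nil, errors.New("HMAC-SHA1 mismatch") } // verify before decrypting
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
// Session models one bot -> C2 exchange: each side makes an X25519 key pair, only
// public keys cross the wire, both derive the same secret, the bot seals its
// check-in and the C2 opens it. tamper=true flips one ciphertext byte in transit.
func Session(report []byte, tamper bool) ([]byte, error) {
	bot, _ := ecdh.X25519().GenerateKey(rand.Reader) // bot's "mypublic" key pair
	c2, _ := ecdh.X25519().GenerateKey(rand.Reader)
	botSecret, _ := bot.ECDH(c2.PublicKey())
	c2Secret, _ := c2.ECDH(bot.PublicKey()) // equals botSecret
	encKey, macKey := deriveKeys(botSecret)
	env, err := seal(encKey, macKey, report)
	if err != nil { return nil, err }
	if tamper { env[aes.BlockSize] ^= 0x01 }
	encKey, macKey = deriveKeys(c2Secret) // C2 side, from its own copy of the secret
	return open(encKey, macKey, env)
}
```

Because the MAC is checked before any decryption, a tampered envelope is rejected without ever touching the AES key, which is the property an analyst looks for when judging how hard a C2 channel is to spoof.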
According to the Arbor Networks researcher, the Bolek botnet they analyzed was focused on Russian banks and Bitcoin-related sites, but the malware was also observed targeting users in Poland. Its infrastructure was also used in phishing campaigns against Canadian telecoms and online banking, as well as for the distribution of Android malware, but it’s unclear whether the same actor operates all three.